New rules announced in Singapore after SolarWinds vulnerability affects companies around the world

The Monetary Authority of Singapore now requires all financial institutions to audit the suppliers of their technology vendors

SINGAPORE – All financial services and fintech companies in Singapore must, from Monday (Jan 18), observe a new set of central bank guidelines to mitigate cyber threats, issued in the wake of a recent cyber attack that affected organizations around the globe.

The Monetary Authority of Singapore (MAS) now requires all financial institutions to evaluate the suppliers of their technology vendors.

In a typical evaluation, suppliers may be asked to show that their software source code is rigorously tested and that they do not use unsafe programming practices. They may also be asked to disclose their security measures and how they monitor and manage cyber risks.

The updated guidelines apply to all banks, payment processors such as GrabPay and Singtel Dash, and brokerage and insurance providers.

Mr Vincent Loy, assistant managing director of technology at MAS, said that using an external vendor which may in turn procure third-party solutions brings critical risks to the banking sector.

“Unknown third-party suppliers are what MAS is most worried about… Financial institutions that do not allocate sufficient financial resources may be more open to unknown third-party suppliers,” he stated.

The hacking of Texas-based SolarWinds, a leading supplier of IT management software, exposed thousands of corporations and government entities around the globe to risk.

SolarWinds’ IT management tools are common components in the products of many large vendors, including Microsoft, FireEye and Cisco Systems.

Mr Tan Yeow Seng, the MAS chief cyber security officer, said the financial sector is increasingly reliant on third-party service providers as it adopts new technologies.

“The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions,” he added.

An evaluation of third-party suppliers was not previously required under the MAS Technology Risk Management (TRM) guidelines, although due diligence on technology vendors was mandatory.

The screening of component suppliers is now clearly spelt out in the revised TRM guidelines, which cover a variety of topics to help firms fend off and recover from cyber attacks and system failures.

Risks from using open application programming interfaces (APIs), code that lets different applications communicate with one another, are also addressed in the updated TRM guidelines.

Banks have used APIs to automatically share foreign exchange rates, for instance. This has allowed many external developers to build forex conversion apps using the data.

Under the revised TRM guidelines, financial services firms should vet entities that access their APIs by looking at the nature of their business, cyber security posture, business reputation and track record.

They should also secure the development of the APIs and encrypt sensitive data in transit to prevent leaks or the injection of malicious code into the APIs.

In another key change to the TRM guidelines, the board of directors and senior management in financial institutions should vet and approve key technology and cyber-security personnel.

“Organizations that do not have a good cyber-security posture usually do not have board and senior management oversight for IT functions and key appointments,” stated Mr Loy, citing findings of the central bank’s own audits.

Last revised in 2013, the TRM guidelines have been updated at a time of increased information sharing that underpins the sector’s digital transformation.

The revision took in suggestions from a public consultation in 2019 and other expert engagements.

The guidelines elaborate on the mandatory requirements set out in the MAS TRM notice, first issued in 2013, which carries a fine of up to 100,000 SGD ($75,220) for non-compliance under the Banking Act.

In the case of a continuing offence, an additional fine of up to 10,000 SGD ($7,522) per day may also be levied.

Reserve Bank of New Zealand’s IT system breached in cyber attack

New Zealand’s reserve bank is working with cyber security specialists to help it understand the effects of a breach of a third-party file-sharing system used to share and store information.

The Reserve Bank of New Zealand (Te Pūtea Matua) said it had been told the attack was not specifically targeted at it, and that other users of the file-sharing system from Accellion, known as File Transfer Application, were also compromised.

The bank, together with cyber security specialists, is working to establish “the nature and extent of information that has been potentially accessed” and said the compromised information “may include” commercially and personally sensitive information.

Adrian Orr, governor of the Reserve Bank of New Zealand, said the breach had been contained and the bank was currently working to establish what information had been affected.

“We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation,” Orr said in a press release. “This includes the Government Communications Security Bureau’s National Cyber Security Centre [NCSC], which has been notified and is providing guidance and advice.”

No further details of the attack were available. “We recognise the public interest in this incident,” Orr added. “However, we are not in a position to provide further details at this time.”

Part of the reason for not revealing more details is to avoid adversely affecting the investigation and the steps being taken to mitigate the breach, the bank said.

The bank said its core functions are unaffected and it remains open for business. “Our core functions and New Zealand’s financial system remain sound, and Te Pūtea Matua is open for business,” said Orr. “This includes our markets operations and management of the cash and payments systems.”

The system has been secured and taken offline while investigations are under way, and the bank is communicating with system users about alternative ways to share information securely. “It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed,” it said.

New Zealand’s financial sector was shaken recently by a significant attack on the country’s stock exchange, which was hit by an unprecedented volumetric distributed denial of service (DDoS) attack last August. That attack was another instance of cyber attackers getting in through a third-party provider’s service.

Like central banks, stock exchanges are vital to a functioning economy, and even a brief outage can cause financial havoc.

New Zealand’s NCSC published a report in November which said the country’s “nationally significant organisations continue to be the target of frequent cyber attacks from a range of malicious actors”.

The report said that from July 2019 to the end of June 2020, the NCSC recorded 352 cyber security incidents at nationally significant organisations, compared with 339 incidents in the previous 12 months. It added that 30% were linked to state-sponsored actors.

The NCSC pointed out that the number of incidents recorded was a small proportion of the overall incidents affecting New Zealand and New Zealanders. “This is because of our focus on providing support for nationally significant organizations and response to potentially high-impact cyber security events,” it said.

Top 10 biggest cyber attacks of 2020

Here is a list of 10 of the largest cyber attacks of a pandemic-dominated 2020, including several devastating ransomware incidents and a massive supply chain attack.

A pandemic-focused year made the events of 2020 unprecedented in numerous ways, and the cyber attacks were no different.

As the world transitioned to virtual everything — work, school, meetings and family gatherings — attackers took notice. Attackers embraced new techniques, and a hurried switch to remote access increased cyberthreats across the board. For example, K-12 schools took the brunt of the hit, and new lows were reached, such as the exfiltration of student data. The list of top cyber attacks from 2020 includes ransomware, phishing, data leaks, breaches and a devastating supply chain attack with a scope like no other. The virtually-dominated year raised new concerns around security postures and practices, which will continue into 2021.

While there were too many incidents to choose from, here is a list of 10 of the biggest cyber attacks of 2020, in chronological order.

  1. Toll Group

Toll Group tops the list for the year’s worst cyber attacks because it was hit by ransomware twice in three months. However, a spokesperson for Toll Group told SearchSecurity the two incidents were not connected and were “based on different forms of ransomware.” On Feb. 3 the Australia-based logistics company announced on Twitter that it had suffered a cyber attack. “As a precautionary measure, Toll has made the decision to shut down a number of systems in response to a cyber security incident. Several Toll customer-facing applications are impacted as a result. Our immediate priority is to resume services to customers as soon as possible,” Toll Group wrote on Twitter. The most recent attack occurred in May and involved a relatively new ransomware variant: Nefilim.

  2. Marriott International

For the second time in two years, the popular hotel chain suffered a data breach. On March 31, Marriott released a statement disclosing the information of 5.2 million guests was accessed using the login credentials of two employees at a franchise property. According to the notice, the breach affected an application used by Marriott to provide guest services. “We believe this activity started in mid-January 2020,” the statement said. “Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.” While the investigation is ongoing, Marriott said it has no reason to believe that the information included the Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers. However, compromised information may have involved contact details and information relating to customer loyalty accounts, but not passwords.

  3. Magellan

On May 12, the healthcare insurance giant issued a letter to victims stating it had suffered a ransomware attack. Threat actors had successfully exfiltrated logins, personal information and tax information. The scope of the attack included eight Magellan Health entities and approximately 365,000 patients may have been impacted. “On April 11, 2020, Magellan discovered it was targeted by a ransomware attack. The unauthorized actor gained access to Magellan’s systems after sending a phishing email on April 6 that impersonated a Magellan client,” the letter said. The company, which has over 10,000 employees, said at the time of the letter they were not aware of any fraud or misuse of any of the personal information. Phishing, a common attack vector, intensified over the year as threat actors refined their impersonation skills.

  4. Twitter

The popular social media company was breached in July by three individuals in an embarrassing incident that saw several high-profile Twitter accounts hijacked. Through a social engineering attack, later confirmed by Twitter to be phone phishing, the attackers stole employees’ credentials and gained access to the company’s internal management systems; dozens of high-profile accounts including those of former President Barack Obama, Amazon CEO Jeff Bezos, and Tesla and SpaceX CEO Elon Musk, were hacked. The threat actors then used the accounts to tweet out bitcoin scams that earned them over $100,000. Two weeks after the breach, the Department of Justice (DoJ) arraigned the three suspects and charged 17-year-old Graham Ivan Clark as an adult for the attack he allegedly “masterminded,” according to authorities.

  5. Garmin

The navigation tech supplier suffered a cyber attack that encrypted some of its systems and forced services offline. Though Garmin first reported it as an outage, the company revealed on July 27 that it was the victim of a cyber attack which resulted in the disruption of “website functions, customer support, customer-facing applications, and company communications.” The press release also stated there was no indication that any customer data was accessed, lost or stolen. Speculation rose that the incident was a ransomware attack, although Garmin never confirmed this. In addition, several media outlets reported that the company gave in to the attackers’ demands and a ransom had been paid. Some news outlets reported it as high as $10 million.

  6. Clark County School District

The attack on the Clark County School District (CCSD) in Nevada revealed a new security risk: the exposure of student data. CCSD revealed it was hit by a ransomware attack on Aug. 27 which may have resulted in the theft of student data. After the district declined to pay the ransom, an update was posted saying it was aware of media reports claiming student data had been exposed on the internet as retribution. While it’s unclear what information was exposed, the threat of exposing stolen student data was a new low for threat actors and represented a shift to identity theft in attacks on schools.

  7. Software AG

The German software giant was the victim of a double extortion attack that started on Oct. 3, which resulted in a forced shutdown of internal systems and ultimately a major data leak. Files were encrypted and stolen by operators behind the Clop ransomware. According to multiple news outlets, a $20 million ransom was demanded, which Software AG declined to pay. As a result, the ransomware gang followed through with its promise and published confidential data on a data leak site including employees’ passport details, internal emails and financial information. Operators behind the Clop ransomware weren’t the only group utilizing a double extortion attack. The name-and-shame tactic became increasingly common throughout 2020 and is now the standard practice for several ransomware gangs.

  8. Vastaamo Psychotherapy Centre

The largest private psychotherapy provider in Finland confirmed it had become the victim of a data breach on October 21, where threat actors stole confidential patient records. The attack set a new precedent; rather than making demands of the organization, patients were blackmailed directly. As of last month, 25,000 criminal reports had been submitted to Finland police. In addition, the government’s overall response to the incident was significant, both in urgency and sensitivity. Finland’s interior minister called an emergency meeting with key cabinet members and provided emergency counseling services to potential victims of the extortion scheme.

  9. FireEye and SolarWinds supply chain attack victims

FireEye set off a chain of events on Dec. 8 when it disclosed that suspected nation-state hackers had breached the security vendor and obtained FireEye’s red team tools. On Dec. 13, the company disclosed that the nation-state attack was the result of a massive supply chain attack on SolarWinds. FireEye dubbed the backdoor campaign “UNC2452” and said it allowed threat actors to gain access to numerous government and enterprise networks across the globe. According to a joint statement Dec. 17 by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence, the attacks are ongoing. Additionally, the statement revealed that the supply chain attack affected more than just the Orion platform. CISA said it has “evidence that the Orion supply chain compromise is not the only initial infection vector leveraged by the APT actor.” Since the statement, major tech companies such as Intel, Nvidia and Cisco disclosed they had received the malicious SolarWinds updates, though the companies said they’ve found no evidence that threat actors exploited the backdoors and breached their networks. However, Microsoft disclosed on Dec. 31 that threat actors infiltrated its network and viewed — but did not alter or obtain — the company’s source code. Microsoft also said there is no evidence the breach affected customer data or the company’s products and services.

  10. SolarWinds

The scope of the attack, the sophistication of the threat actors and the high-profile victims affected make this not only the biggest attack of 2020, but possibly of the decade. The incident also highlights the dangers of supply chain attacks and brings into question the security posture of such a large company. Threat actors, who had performed reconnaissance since March, planted a backdoor in SolarWinds’ Orion platform, which was activated when customers updated the software. SolarWinds issued a security advisory about the backdoor which the vendor said affected Orion Platform versions 2019.4 HF5 through 2020.2.1, which were released between March 2020 and June 2020. “We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted and manually executed attack, as opposed to a broad, system-wide attack,” the company said. In the three-week-long investigation since, the full breadth of the attack has grown immensely, but is still not yet fully understood.

Cyber-Attack on US Laboratory

An American laboratory specializing in home phlebotomy has disclosed a cyber-attack that occurred five months ago after data stolen in the attack turned up online.

Apex Laboratory opened in 1997 and is based in Farmingdale, New York. The company has provided medical testing services to hundreds of home health agencies and thousands of physicians in New York and South Florida.

On July 25, 2020, Apex learned that it had become the victim of a cyber-attack that rendered certain files and systems inaccessible. Network access was restored along with the impacted data, and the company resumed normal operations on July 27.

A third-party cyber forensic analyst was hired by Apex to investigate the attack. The investigation found no evidence of unauthorized access or acquisition of patient information, and Apex did not disclose the incident.

However, Apex discovered last month that the cyber-criminals behind the attack had stolen “personal and health information for some patients” and posted it online on their blog. Information believed to have been taken includes patient names, dates of birth, test results, and, for some individuals, Social Security numbers and phone numbers.

Apex is yet to reveal how many patients were impacted by the incident, but the laboratory did say that the information stolen by the threat actors could have been pinched over a four-day period.

“It is believed that this information may have been acquired from Apex’s systems between July 21, 2020 and July 25, 2020,” stated Apex.

From a notice of data event posted by Apex on December 31, the attack sounds like it might have involved ransomware.

The notice states: “On July 25, 2020, Apex Laboratory of Farmingdale, NY (‘Apex’) discovered that it was the victim of a cyber-attack and that certain systems in its environment were encrypted and inaccessible.”

Apex didn’t say that it paid a ransom to the cyber-attackers; however, the speedy restoration of the impacted data and the removal of the stolen data from the hackers’ blog might suggest some communication between the criminals and their victim has occurred.

The company said that it is “unaware of any actual or attempted misuse of any information other than the extracting of this data as part of the cyber-attack.”